7 years of Indian Cyber Law

Rohas Nagpal

About the author

Rohas Nagpal is the founder President of Asian School of Cyber Laws. He advises Governments and corporates around the world in cyber crime investigation and cyber law related issues. He has assisted the Government of India in drafting rules and regulations under the Information Technology Act, 2000. He has authored several books, papers and articles on cyber law, cyber terrorism, cyber crime investigation and financial law. Rohas lives in Pune (India) and blogs @ rohasnagpal.com

Some of the papers authored by Rohas Nagpal
1. Internet Time Theft & the Indian Law
2. Legislative Approach to Digital Signatures
3. Indian Legal position on Cyber Terrorism
4. Defining Cyber Terrorism
5. The mathematics of terror
6. Cyber Terrorism in the context of Globalisation
7. Biometric based Digital Signature Scheme

ABOUT THIS PAPER
JURISPRUDENCE OF INDIAN CYBER LAW
1. CYBER PORNOGRAPHY
   AVNISH BAJAJ VS. STATE (N.C.T.) OF DELHI
2. ACCESSING PROTECTED SYSTEM
   FIROS VS. STATE OF KERALA
3. TAMPERING WITH COMPUTER SOURCE CODE
   SYED ASIFUDDIN AND ORS. VS. THE STATE OF ANDHRA PRADESH & ANR.
4. BANKER’S BOOKS EVIDENCE ACT
   STATE BANK OF INDIA VS. RIZVI EXPORTS LTD
5. ADMISSIBILITY OF ELECTRONIC RECORDS
   STATE VS. MOHD. AFZAL AND OTHERS
6. IS ATM A COMPUTER?
   DIEBOLD SYSTEMS PVT LTD VS. THE COMMISSIONER OF COMMERCIAL TAXES
7. PLACE OF ELECTRONIC CONTRACT
   P.R. TRANSPORT AGENCY VS. UNION OF INDIA & OTHERS

© 2007 Rohas Nagpal. All rights reserved.

About this paper

This paper is prepared for Clubhack 2007 in December 2007.

Indian Cyber Laws were officially born on 17th October 2000 with the Information Technology Act, 2000 coming into force. This paper discusses 7 interesting case laws that I feel highlight the development of cyber legal jurisprudence in India over the last 7 years.

This paper begins with a short outline of the various rules, regulations and orders that have been passed over the last 7 years.

It then moves on to a brief discussion of the Indian law relating to cyber pornography and features the Avnish Bajaj (CEO of baazee.com – now a part of the eBay group of companies) case.

The next issue covered by this paper is that of protected systems and features the Firos vs. State of Kerala case.

The highly topical issue of tampering with computer source code is discussed next along with the Syed Asifuddin case.

The importance of the amendments to the Banker’s Books Evidence Act is discussed next in the context of the State Bank of India vs. Rizvi Exports Ltd case.

The issue of admissibility of electronic records is discussed in the context of the State vs. Mohd. Afzal and others case, also known as the Parliament attack case.

The paper ends with two cases, one focussing on whether an ATM is a computer and the other on the place of an electronic contract.

Jurisprudence of Indian Cyber Law

The primary source of cyber law in India is the Information Technology Act, 2000 (IT Act) which came into force on 17 October 2000.

The primary purpose of the Act is to provide legal recognition to electronic commerce and to facilitate filing of electronic records with the Government. The IT Act also penalizes various cyber crimes and provides strict punishments (imprisonment terms up to 10 years and compensation up to Rs 1 crore).

Minor errors in the Act were rectified by the Information Technology (Removal of Difficulties) Order, 2002 which was passed on 19 September 2002.

An Executive Order dated 12 September 2002 contained instructions relating to provisions of the Act in regard to protected systems and application for the issue of a Digital Signature Certificate.

The IT Act was amended by the Negotiable Instruments (Amendments and Miscellaneous Provisions) Act, 2002. This introduced the concept of electronic cheques and truncated cheques.

Information Technology (Use of Electronic Records and Digital Signatures) Rules, 2004 has provided the necessary legal framework for filing of documents with the Government as well as issue of licences by the Government. It also provides for payment and receipt of fees in relation to the Government bodies.

On the same day, the Information Technology (Certifying Authorities) Rules, 2000 also came into force. These rules prescribe the eligibility, appointment and working of Certifying Authorities (CA). These rules also lay down the technical standards, procedures and security methods to be used by a CA. These rules were amended in 2003, 2004 and 2006.

Information Technology (Certifying Authority) Regulations, 2001 came into force on 9 July 2001. They provide further technical standards and procedures to be used by a CA.

Two important guidelines relating to CAs were issued.
The first are the Guidelines for submission of application for licence to operate as a Certifying Authority under the IT Act. These guidelines were issued on 9th July 2001.

Next were the Guidelines for submission of certificates and certification revocation lists to the Controller of Certifying Authorities for publishing in National Repository of Digital Certificates. These were issued on 16th December 2002.

The Cyber Regulations Appellate Tribunal (Procedure) Rules, 2000 also came into force on 17th October 2000. These rules prescribe the appointment and working of the Cyber Regulations Appellate Tribunal (CRAT) whose primary role is to hear appeals against orders of the Adjudicating Officers.

The Cyber Regulations Appellate Tribunal (Salary, Allowances and other terms and conditions of service of Presiding Officer) Rules, 2003 prescribe the salary, allowances and other terms for the Presiding Officer of the CRAT.

Information Technology (Other powers of Civil Court vested in Cyber Appellate Tribunal) Rules 2003 provided some additional powers to the CRAT.

On 17th March 2003, the Information Technology (Qualification and Experience of Adjudicating Officers and Manner of Holding Enquiry) Rules, 2003 were passed. These rules prescribe the qualifications and experience of Adjudicating Officers, whose chief responsibility under the IT Act is to adjudicate on cases such as unauthorized access, unauthorized copying of data, spread of viruses, denial of service attacks, disruption of computers, computer manipulation etc. These rules also prescribe the manner and mode of inquiry and adjudication by these officers.

The appointment of adjudicating officers to decide the fate of multi-crore cyber crime cases in India was the result of the public interest litigation filed by students of Asian School of Cyber Laws (ASCL).
The Government had not appointed the Adjudicating Officers or the Cyber Regulations Appellate Tribunal for almost 2 years after the passage of the IT Act. This prompted ASCL students to file a Public Interest Litigation (PIL) in the Bombay High Court asking for a speedy appointment of Adjudicating officers.

The Bombay High Court, in its order dated 9th October 2002, directed the Central Government to announce the appointment of adjudicating officers in the public media to make people aware of the appointments. The division bench of the Mumbai High Court consisting of Hon’ble Justice A.P. Shah and Hon’ble Justice Ranjana Desai also ordered that the Cyber Regulations Appellate Tribunal be constituted within a reasonable time frame.

Following this the Central Government passed an order dated 23rd March 2003 appointing the “Secretary of Department of Information Technology of each of the States or of Union Territories” of India as the adjudicating officers.

The Information Technology (Security Procedure) Rules, 2004 came into force on 29th October 2004. They prescribe provisions relating to secure digital signatures and secure electronic records.

Also relevant are the Information Technology (Other Standards) Rules, 2003.

An important order relating to blocking of websites was passed on 27th February, 2003. Computer Emergency Response Team (CERT-IND) can instruct Department of Telecommunications (DOT) to block a website.

The Indian Penal Code (as amended by the IT Act) penalizes several cyber crimes. These include forgery of electronic records, cyber frauds, destroying electronic evidence etc.

Digital Evidence is to be collected and proven in court as per the provisions of the Indian Evidence Act (as amended by the IT Act).

In case of bank records, the provisions of the Bankers’ Book Evidence Act (as amended by the IT Act) are relevant.
Investigation and adjudication of cyber crimes is done in accordance with the provisions of the Code of Criminal Procedure and the IT Act.

The Reserve Bank of India Act was also amended by the IT Act.

1. Cyber Pornography

There is no settled definition of pornography or obscenity. What is considered simply sexually explicit but not obscene in USA may well be considered obscene in India. There have been many attempts to limit the availability of pornographic content on the Internet by governments and law enforcement bodies all around the world but with little effect.

Pornography on the Internet is available in different formats. These range from pictures and short animated movies, to sound files and stories. The Internet also makes it possible to discuss sex, see live sex acts, and arrange sexual activities from computer screens.

Although the Indian Constitution guarantees the fundamental right of freedom of speech and expression, it has been held that a law against obscenity is constitutional. The Supreme Court has defined obscene as “offensive to modesty or decency; lewd, filthy, repulsive”.

Section 67 of the IT Act is the most serious Indian law penalizing cyber pornography. Other Indian laws that deal with pornography include the Indecent Representation of Women (Prohibition) Act and the Indian Penal Code.

According to Section 67 of the IT Act:

Whoever publishes or transmits or causes to be published in the electronic form, any material which is lascivious or appeals to the prurient interest or if its effect is such as to tend to deprave and corrupt persons who are likely, having regard to all relevant circumstances, to read, see or hear the matter contained or embodied in it, shall be punished on first conviction with imprisonment of either description for a term which may extend to five years and with fine which may extend to one lakh rupees and in the event of a second or subsequent conviction with imprisonment of either description for a term which may extend to ten years and also with fine which may extend to two lakh rupees.

This section explains what is considered to be obscene and also lists the acts in relation to such obscenity that are illegal.

What constitutes obscenity in electronic form?

To understand what constitutes obscenity in the electronic form, let us analyse the relevant terms:

Any material in the context of this section would include video files, audio files, text files, images, animations etc. These may be stored on CDs, websites, computers, cell phones etc.

Lascivious is something that tends to excite lust.

Appeals to, in this context, means “arouses interest”.

Prurient interest is characterized by lustful thoughts.

Effect means to produce or cause.

Tend to deprave and corrupt in the context of this section means “to lead someone to become morally bad”.

Persons here refers to natural persons (men, women, children) and not artificial persons (such as companies, societies etc).

Having understood these terms, let us analyse what constitutes obscenity. To be considered obscene for the purpose of this section, the matter must satisfy at least one of the following conditions:
1. it must tend to excite lust, or
2. it must arouse interest in lustful thoughts, or
3. it must cause a person to become morally bad.

The above conditions must be satisfied in respect of a person who is the likely target of the material. This can be understood from the following illustration:

Illustration
Sameer launches a website that contains information on sex education. The website is targeted at higher secondary school students. Pooja is one such student who is browsing the said website. Her illiterate young maid servant happens to see some explicit photographs on the website and is filled with lustful thoughts.

This website would not be considered obscene. This is because it is most likely to be seen by educated youngsters who appreciate the knowledge sought to be imparted through the photographs. It is under very rare circumstances that an illiterate person would see these explicit images.

Acts that are punishable in respect of obscenity

To understand the acts that are punishable in respect of obscenity in the electronic form, let us analyse the relevant terms:

Publishes means “to make known to others”. It is essential that at least one natural person (man, woman or child) becomes aware or understands the information that is published. Simply putting up a website that is never visited by any person does not amount to publishing.

Illustration
Sameer has just hosted a website containing his articles written in English. Sameer has not published the articles.

An automated software released by an Internet search engine indexes Sameer’s website. Sameer has still not published the articles.

A Chinese man, who does not understand a word of English, accidentally visits Sameer’s website. Sameer has still not published the articles.

Pooja, who understands English, visits Sameer’s website and reads some of his articles. Now, Sameer has published his articles.

Transmits means to pass along, convey or spread.
It is not necessary that the “transmitter” actually understands the information being transmitted.

Illustration
Sameer has just hosted a website containing his articles. Pooja uses an Internet connection provided by Noodle Ltd to visit Sameer’s website. Noodle Ltd has transmitted Sameer’s articles to Pooja. However, Noodle employees are not actually aware of the information being transmitted by their computers.

Causes to be published means “to bring about the publishing of something”. It is essential that the actual publishing must take place.

Illustration
Sameer has just hosted a website containing his articles. An automated software released by Noodle Internet search engine indexes Sameer’s website. But no human being has still used that index to read these articles. Noodle has not caused Sameer’s articles to be published.

Based upon the index created by Noodle, Pooja reaches Sameer’s website and reads some of his articles. Now, Noodle has caused Sameer’s articles to be published.

Information in the electronic form includes websites, songs on a CD, movies on a DVD, jokes on a cell phone, photo sent as an email attachment etc.

The punishment provided under this section is as under:
1. First offence: Simple or rigorous imprisonment up to 5 years and fine up to Rs 1 lakh
2. Subsequent offence: Simple or rigorous imprisonment up to 10 years and fine up to Rs 2 lakh

Publishing cyber pornography (Summary)

Actions covered: Publishing, causing to be published and transmitting cyber pornography.
Penalty:
First offence: Simple or rigorous imprisonment up to 5 years and fine up to Rs 1 lakh
Subsequent offence: Simple or rigorous imprisonment up to 10 years and fine up to Rs 2 lakh
Relevant authority: Court of Session
Appeal lies to: High Court
Investigation Authorities:
1. Controller of Certifying Authorities (CCA)
2. Person authorised by CCA
3. Police Officer not below the rank of Deputy Superintendent
Points to mention in complaint:
1. Complainant details
2. Suspect details
3. How and when the contravention was discovered and by whom
4. Other relevant information

Avnish Bajaj vs. State (N.C.T.) of Delhi
(2005)3CompLJ364(Del), 116(2005)DLT427, 2005(79)DRJ576

IN THE HIGH COURT OF DELHI
Bail Appl. No. 2284 of 2004
Decided On: 21.12.2004
Appellants: Avnish Bajaj
Vs.
Respondent: State (N.C.T.) of Delhi

Summary of the case

Avnish Bajaj, CEO of Baazee.com, an online auction website, was arrested for distributing cyber pornography. The charges stemmed from the fact that someone had sold copies of a pornographic CD through the Baazee.com website.

The court granted him bail in the case. The major factors considered by the court were:
1. There was no prima facie evidence that Mr. Bajaj directly or indirectly published the pornography,
2. The actual obscene recording/clip could not be viewed on Baazee.com,
3. Mr. Bajaj was of Indian origin and had family ties in India.

Background

Avnish Bajaj is the CEO of Baazee.com, a customer-to-customer website, which facilitates the online sale of property. Baazee.com receives commission from such sales and also generates revenue from advertisements carried on its web pages.

An obscene MMS clipping was listed for sale on Baazee.com on 27th November, 2004 in the name of "DPS Girl having fun". Some copies of the clipping were sold through Baazee.com and the seller received the money for the sale.

Avnish Bajaj was arrested under section 67 of the Information Technology Act, 2000 and his bail application was rejected by the trial court. He then approached the Delhi High Court for bail.

Issues raised by the Prosecution
1. The accused did not stop payment through banking channels after learning of the illegal nature of the transaction.
2. The item description "DPS Girl having fun" should have raised an alarm.

Issues raised by the Defence
1. Section 67 of the Information Technology Act relates to publication of obscene material. It does not relate to transmission of such material.
2. On coming to learn of the illegal character of the sale, remedial steps were taken within 38 hours, since the intervening period was a weekend.

Findings of the court
1. It has not been established from the evidence that any publication took place by the accused, directly or indirectly.
2. The actual obscene recording/clip could not be viewed on the portal of Baazee.com.
3. The sale consideration was not routed through the accused.
4. Prima facie Baazee.com had endeavored to plug the loophole.
5. The accused had actively participated in the investigations.
6. The nature of the alleged offence is such that the evidence has already crystallized and may even be tamper proof.
7. Even though the accused is a foreign citizen, he is of Indian origin with family roots in India.
8. The evidence that has been collected indicates only that the obscene material may have been unwittingly offered for sale on the website.
9. The evidence that has been collected indicates that the heinous nature of the alleged crime may be attributable to some other person.

Decision of the court
1. The court granted bail to Mr. Bajaj subject to furnishing two sureties of Rs. 1 lakh each.
2. The court ordered Mr. Bajaj to surrender his passport and not to leave India without the permission of the Court.
3. The court also ordered Mr. Bajaj to participate and assist in the investigation.

2. Accessing Protected System

According to section 70 of the IT Act:

(1) The appropriate Government may, by notification in the Official Gazette, declare that any computer, computer system or computer network to be a protected system.
(2) The appropriate Government may, by order in writing, authorize the persons who are authorized to access protected systems notified under sub-Section (1).
(3) Any person who secures access or attempts to secure access to a protected system in contravention of the provisions of this Section shall be punished with imprisonment of either description for a term which may extend to ten years and shall also be liable to fine.

As per Executive order dated 12-9-2002, issued by Ministry of Communications & Information Technology, details of every protected system should be provided to the Controller of Certifying Authorities.

There are three elements to this section:
1. Gazette notification for declaring protected system.
2. Government order authorizing persons to access protected systems.
3. Punishment for access to protected systems by unauthorised persons.

Let us discuss the relevant terms and issues in detail.

Appropriate government is determined as per Schedule VII of the Constitution of India. Schedule VII of the Constitution of India contains 3 lists – Union, State and Concurrent.

Parliament has the exclusive right to make laws on items covered in the Union List e.g. defence, Reserve Bank of India etc.

State Governments have the exclusive right to make laws on items covered in the State List e.g. police, prisons etc.

Parliament as well as the State Governments can make laws on matters in the Concurrent List e.g. forests, electricity etc.

Illustration 1
If the computer network of the Indian Army is to be declared as a protected system, the Central Government would be the appropriate Government.

Illustration 2
If the computer network of the Mumbai police is to be declared as a protected system, the Government of Maharashtra would be the appropriate Government.

Illustration 3
If the computer network of the Forest Department in Maharashtra is to be declared as a protected system, the Central Government as well as the Government of Maharashtra would be the appropriate Government.

All the acts, rules, regulations etc passed by the Central and State Government are notified in the Official Gazette. The Official Gazette in the electronic form is called the Electronic Gazette. A notification becomes effective on the date of its publication in the Gazette.

The Government order may specify the authorised persons by name or by designation (e.g. all officers of rank of Inspector and above deputed in a particular department).

The term “securing access” in this section is a grammatical variation of the term “secures access” as discussed earlier.

Attempt to secure access is a very wide term and can best be understood through the following illustrations.

Illustration 1
Sameer runs a password cracking software to crack the password of a protected system. Irrespective of whether he succeeds in cracking the password, he is guilty of attempting to secure access.

Illustration 2
Sameer runs automated denial of service software to bring down the firewall securing a protected system. Irrespective of whether he succeeds in bringing down the firewall, he is guilty of attempting to secure access.

Illustration 3
Sameer sends a Trojan by email to Pooja, who is the network administrator of a protected system. He plans to Trojanize Pooja’s computer and thereby gain unauthorised access to the protected system. Irrespective of whether he succeeds in finally accessing the protected system, he is guilty of attempting to secure access.

The punishment provided for this section is rigorous or simple imprisonment of up to 10 years and fine.

Unauthorised Access to Protected System (Summary)

Actions covered: Unauthorised access to protected system (or attempt thereof)
Penalty: Imprisonment up to 10 years and fine (this may be rigorous or simple imprisonment i.e. with or without hard labour)
Relevant authority: Court of Session
Appeal lies to: High Court
Investigation Authorities:
1. Controller of Certifying Authorities (CCA)
2. Person authorised by CCA
3. Police Officer not below the rank of Deputy Superintendent
Points to mention in complaint:
1. Complainant details
2. Suspect details
3. Details of gazette notification and Government order
4. How and when the contravention was discovered and by whom
5. Other relevant information

Firos vs. State of Kerala
AIR2006Ker279, 2006(3)KLT210, 2007(34)PTC98(Ker)

IN THE HIGH COURT OF KERALA
W.A. No. 685 of 2004
Decided On: 24.05.2006
Appellants: Firos
Vs.
Respondent: State of Kerala

Summary of the case

The Government of Kerala issued a notification u/s 70 of the Information Technology Act declaring the FRIENDS application software as a protected system.

The author of the application software filed a petition in the High Court against the said notification. He also challenged the constitutional validity of section 70 of the IT Act.

The Court upheld the validity of both section 70 of the IT Act and the notification issued by the Kerala Government.

Background of the case

Government of Kerala, as part of IT implementation in Government departments, conceived a project idea of "FRIENDS" (Fast, Reliable, Instant, Efficient Network for Disbursement of Services).
The project envisaged development of a software for single window collection of bills payable to Government, local authorities, various statutory agencies, Government Corporations etc. towards tax, fees, charges for electricity, water, etc. A person by making a consolidated payment in a computer counter served through "FRIENDS" system can discharge all his liabilities due to the Government, local authorities and various agencies.

The work of developing the "FRIENDS" software was entrusted to Firos. The application-software "FRIENDS" was first established at Thiruvananthapuram, free of cost, and since the project was successful, the Government decided to set up the same in all other 13 district centres.

The Government of Kerala entered into a contract with Firos for setting up and commissioning "FRIENDS" software system in 13 centres all over Kerala for providing integrated services to the customers through a single window for a total consideration of Rs. 13 lakh. Firos set up FRIENDS service centres in all the 13 centres and they were paid the agreed remuneration.

A dispute arose between Firos and the Government with regard to Intellectual Property Rights (IPR) in the FRIENDS software. The Government arranged to modify the FRIENDS software to suit its further requirements through another agency. Firos alleged violation of copyright and filed a criminal complaint against the Government.

A counter case was filed by the Government against Firos. The Government of Kerala issued a notification under Section 70 of the Information Technology Act declaring the FRIENDS software installed in the computer system and computer network established in all centres in Kerala as a protected system.

Firos filed a writ petition challenging section 70 of the IT Act.

Issues raised by the Petitioner
1. The Government of Kerala notification under section 70 of the IT Act is arbitrary, discriminatory and violates Article 19(1)(g) of the Constitution of India.
2. The Government of Kerala notification under section 70 of the IT Act is and was against the statutory right conferred under Section 17 of the Copyright Act.
3. Section 70 of the IT Act which confers the unfettered powers on the State Government to declare any computer system as a protected system is arbitrary and unconstitutional and inconsistent with Copyright Act.
4. Section 70 of the IT Act has to be declared as illegal.
5. There is direct conflict between the provisions of Section 17 of the Copyright Act and Section 70 of the Information Technology Act. When there is conflict between two Acts, a harmonious construction has to be adopted.

Conclusions of the court
1. There is no conflict between the provisions of Copyright Act and Section 70 of IT Act.
2. Section 70 of the IT Act is not unconstitutional.
3. While interpreting section 70 of the IT Act, a harmonious construction with Copyright Act is needed.
4. Section 70 of the IT Act is not against but subject to the provisions of the Copyright Act.
5. Government cannot unilaterally declare any system as "protected" other than "Government work" falling under section 2(k) of the Copyright Act on which Govt.'s copyright is recognised under Section 17(d) of the said Act.

Section 2(k) of the Copyright Act
(k) 'Government work' means a work which is made or published by or under the direction or control of
(i) the Government or any department of the Government;
(ii) any Legislature in India;
(iii) any Court, Tribunal or other judicial authority in India;

Section 17(d) of the Copyright Act
17. First owner of copyright:- Subject to the provisions of this Act, the author of a work shall be the owner of the copyright therein;
(d) in the case of a Government work, Government shall, in the absence of any agreement to the contrary, be the first owner of the copyright therein;

3. Tampering with computer source code

According to section 65 of the IT Act:

Whoever knowingly or intentionally conceals, destroys or alters or intentionally or knowingly causes another to conceal, destroy or alter any computer source code used for a computer, computer programme, computer system or computer network, when the computer source code is required to be kept or maintained by law for the time being in force, shall be punishable with imprisonment up to three years, or with fine which may extend up to two lakh rupees, or with both.

Explanation.—For the purposes of this section, "computer source code" means the listing of programmes, computer commands, design and layout and programme analysis of computer resource in any form.

Computer source code is the listing of programmes, computer commands, design and layout and programme analysis of computer resource in any form.

Computer source code need not only be in the electronic form. It can be printed on paper (e.g. printouts of flowcharts for designing a software application). Let us understand this using some illustrations:

Illustration 1
Pooja has created a simple computer program. When a user double-clicks on the hello.exe file created by Pooja, the following small screen opens up:

    Hello World

The hello.exe file created by Pooja is the executable file that she can give to others. The small screen that opens up is the output of the software program written by Pooja.

Pooja has created the executable file using the programming language called “C”. Using this programming language, she created the following lines of code:

    #include <stdio.h>

    /* prints the greeting in three calls, ending with a newline */
    int main(void)
    {
        printf("hello, ");
        printf("world");
        printf("\n");
        return 0;
    }

These lines of code are referred to as the source code.

Illustration 2
Noodle Ltd has created software for viewing and creating image files. The programmers who developed this program used the computer-programming language called Visual C++. Using the syntax of this language, they wrote thousands of lines of code.

This code is then compiled into an executable file and given to end-users. All that the end user has to do is double-click on a file (called setup.exe) and the program gets installed on his computer. The lines of code are known as computer source code.

Illustration 3
Pooja is creating a simple website. A registered user of the website would have to enter the correct password to access the content of the website. She creates the following flowchart outlining the functioning of the authentication process of the website.

[Flowchart: Login page -> Enter password -> Check password; if correct -> Logged in page; if incorrect -> Invalid password]

She takes a printout of the flowchart to discuss it with her client. The printout is source code.

This section relates to computer source code that is either:
1. required to be kept (e.g. in a cell phone, hard disk, server etc), or
2. required to be maintained by law

The following acts are prohibited in respect of the source code:
1. knowingly concealing or destroying or altering
2. intentionally concealing or destroying or altering
3. knowingly causing another to conceal or destroy or alter
4. intentionally causing another to conceal or destroy or alter

Let us discuss the relevant terms and issues in detail.

Conceal simply means “to hide”.

Illustration
Pooja has created a software program. The source code files of the program are contained in a folder on Pooja’s laptop. Sameer changes the properties of the folder and makes it a “hidden” folder.
Although the source code folder still exists on Pooja’s computer, she can no longer see it. Sameer has concealed the source code.

Destroys means “to make useless”, “cause to cease to exist”, “nullify”, “to demolish”, or “reduce to nothing”.

Destroying source code also includes acts that render the source code useless for the purpose for which it had been created.

Illustration 1
Pooja has created a software program. The source code files of the program are contained in a folder on Pooja’s laptop. Sameer deletes the folder. He has destroyed the source code.

Illustration 2
Pooja has created a software program. The source code files of the program are contained in a folder on Pooja’s laptop. Sameer deletes one of the source code files. Now the source code cannot be compiled into the final product. He has destroyed the source code.

Illustration 3
Pooja is designing a software program. She draws out the flowchart depicting the outline of the functioning of the program. Sameer tears up the paper on which she had drawn the flowchart. Sameer has destroyed the source code.

Alters, in relation to source code, means “modifies”, “changes”, “makes different” etc. This modification or change could be in respect to size, properties, format, value, utility etc.

Illustration
Pooja has created a webpage for her client. The source code of the webpage is in HTML (Hyper Text Markup Language) format. Sameer changes the file from HTML to text format. He has altered the source code.

Tampering with computer source code (Summary)

Actions covered: Knowingly or intentionally concealing, altering or destroying computer source code (or causing someone else to do so).
Penalty: Imprisonment up to 3 years and / or fine up to Rs 2 lakh
Relevant authority: Judicial Magistrate First Class
Appeal lies to: Court of Session
Investigation Authorities:
1. Controller of Certifying Authorities (CCA)
2. Person authorised by CCA
3. Police Officer not below the rank of Deputy Superintendent
Points to mention in complaint:
1. Complainant details
2. Suspect details
3. How and when the contravention was discovered and by whom
4. Damage suffered
5. Other relevant information

Syed Asifuddin and Ors. Vs. The State of Andhra Pradesh & Anr.
2005CriLJ4314
IN THE HIGH COURT OF ANDHRA PRADESH
Cri. Petn. Nos. 2601 and 2602 of 2003
Decided On: 29.07.2005
Appellants: Syed Asifuddin and Ors.
Vs.
Respondent: The State of Andhra Pradesh and Anr.

Summary of the case

Tata Indicom employees were arrested for manipulation of the electronic 32-bit number (ESN) programmed into cell phones that were exclusively franchised to Reliance Infocomm.

The court held that such manipulation amounted to tampering with computer source code as envisaged by section 65 of the Information Technology Act, 2000.

Background of the case

Reliance Infocomm launched a scheme under which a cell phone subscriber was given a digital handset worth Rs. 10,500 as well as service bundle for 3 years with an initial payment of Rs. 3350 and monthly outflow of Rs. 600. The subscriber was also provided a 1 year warranty and 3 year insurance on the handset.

The condition was that the handset was technologically locked so that it would only work with the Reliance Infocomm services. If the customer wanted to leave Reliance services, he would have to pay some charges including the true price of the handset. Since the handset was of a high quality, the market response to the scheme was phenomenal.

Unidentified persons contacted Reliance customers with an offer to change to a lower priced Tata Indicom scheme. As part of the deal, their phone would be technologically “unlocked” so that the exclusive Reliance handsets could be used for the Tata Indicom service.
Reliance officials came to know about this “unlocking” by Tata employees and lodged a First Information Report (FIR) under various provisions of the Indian Penal Code, Information Technology Act and the Copyright Act.

The police then raided some offices of Tata Indicom in Andhra Pradesh and arrested a few Tata Tele Services Limited officials for reprogramming the Reliance handsets.

These arrested persons approached the High Court requesting the court to quash the FIR on the grounds that their acts did not violate the said legal provisions.

Issues raised by the Defence

1. It is always open for the subscriber to change from one service provider to the other service provider.
2. The subscriber who wants to change from Tata Indicom always takes his handset to other service providers to get service connected and to give up Tata services.
3. The handsets brought to Tata by Reliance subscribers are capable of accommodating two separate lines and can be activated on principal assignment mobile (NAM 1 or NAM 2). The mere activation of NAM 1 or NAM 2 by Tata in relation to a handset brought to it by a Reliance subscriber does not amount to any crime.
4. A telephone handset is neither a computer nor a computer system containing a computer programme.
5. There is no law in force which requires the maintenance of "computer source code". Hence section 65 of the Information Technology Act does not apply.

Findings of the court

1. As per section 2 of the Information Technology Act, any electronic, magnetic or optical device used for storage of information received through satellite, microwave or other communication media and the devices which are programmable and capable of retrieving any information by manipulations of electronic, magnetic or optical impulses is a computer which can be used as computer system in a computer network.
2. The instructions or programme given to computer in a language known to the computer are not seen by the users of the computer/consumers of computer functions. This is known as source code in computer parlance.
3. A city can be divided into several cells. A person using a phone in one cell will be plugged to the central transmitter of the telecom provider. This central transmitter will receive the signals and then divert them to the relevant phones.
4. When the person moves from one cell to another cell in the same city, the system i.e., Mobile Telephone Switching Office (MTSO) automatically transfers signals from tower to tower.
5. All cell phone service providers have special codes dedicated to them and these are intended to identify the phone, the phone's owner and the service provider.
6. System Identification Code (SID) is a unique 5-digit number that is assigned to each carrier by the licensor. Every cell phone operator is required to obtain SID from the Government of India. SID is programmed into a phone when one purchases a service plan and has the phone activated.
7. Electronic Serial Number (ESN) is a unique 32-bit number programmed into the phone when it is manufactured by the instrument manufacturer. ESN is a permanent part of the phone.
8. Mobile Identification Number (MIN) is a 10-digit number derived from cell phone number given to a subscriber. MIN is programmed into a phone when one purchases a service plan.
9. When the cell phone is switched on, it listens for a SID on the control channel, which is a special frequency used by the phone and base station to talk to one another about things like call set-up and channel changing.
10. If the phone cannot find any control channels to listen to, the cell phone displays "no service" message as it is out of range.
11. When the cell phone receives the SID, it compares it to the SID programmed into the phone and, if these code numbers match, the phone knows that it is communicating with its home system. Along with the SID, the phone also transmits a registration request, and the MTSO, which keeps track of the phone's location in a database, knows which cell phone you are using and gives a ring.
12. So as to match with the system of the cell phone provider, every cell phone contains a circuit board, which is the brain of the phone. It is a combination of several computer chips programmed to perform analog-to-digital and digital-to-analog conversion and translation of the outgoing audio signals and incoming signals.
13. This is a micro processor similar to the one generally used in the compact disk of a desktop computer. Without the circuit board, the cell phone instrument cannot function.
14. When a Reliance customer opts for its services, the MIN and SID are programmed into the handset. If someone manipulates and alters ESN, handsets which are exclusively used by them become usable by other service providers like TATA Indicom.

Conclusions of the court

1. A cell phone is a computer as envisaged under the Information Technology Act.
2. ESN and SID come within the definition of “computer source code” under section 65 of the Information Technology Act.
3. When ESN is altered, the offence under Section 65 of Information Technology Act is attracted because every service provider has to maintain its own SID code and also give a customer specific number to each instrument used to avail the services provided.
4. Whether a cell phone operator is maintaining computer source code, is a matter of evidence.
5. In Section 65 of Information Technology Act the disjunctive word "or" is used in between the two phrases –
   a. "when the computer source code is required to be kept"
   b. "maintained by law for the time being in force"

4. Banker’s Books Evidence Act

The Banker’s Books Evidence Act lays down the rules of evidence in relation to bankers’ books. Generally, bankers’ books would be adduced as evidence where any financial transaction involving the banking system is in question or has to be examined.

The IT Act has amended the Banker’s Books Evidence Act to confer equal status on electronic records as compared to paper based documents.

Bankers' books include ledgers, day-books, cash-books, account-books and all other books used in the ordinary business of a bank. These can be in paper form or printouts of data stored in bank computers.

If a “certified copy” of printouts of bankers’ books has to be given, then such printouts must be accompanied by three certificates. Let us take a simple illustration to understand the contents of these certificates.

Note: These certificates are for illustration purposes only and do not constitute legal advice. Please do not use in a real scenario. If you require legally valid certificate formats for use in a real scenario, please email us on info@asianlaws.org

Illustration
Sameer issued a cheque to Pooja for Rs 3 lakh. The cheque was dishonoured by Sameer’s bank (Noodle Bank Ltd) as the balance in Sameer’s account was only Rs 50,000. Pooja has filed a case against Sameer under section 138 of the Negotiable Instruments Act for the cheque “bouncing”.

Pooja has requested Noodle Bank for a certified copy of Sameer’s bank account statement (for January 2008) for producing in court as evidence. The printout of the bank statement will be accompanied by the following 3 certificates:

Certificate u/s 2A(a) of the Banker’s Books Evidence Act

I, the undersigned, state to the best of my knowledge and belief that:
1. Mr. Sameer Sen is holding account no. 12345 with the Pune branch of the Noodle Bank Ltd.
2. The accompanying bank account statement is a printout of the transactions and balances in the said bank account for the period beginning 1st January 2008 and ending 31st January 2008.

Siddharth Sharma
Manager, Pune branch
Noodle Bank Ltd

Certificate u/s 2A(b) of the Banker’s Books Evidence Act

I, the undersigned, state to the best of my knowledge and belief that the enclosed “Information Security Policy of Noodle Bank Ltd” contains the true and correct information relating to the computer system used to store bank account related information of Noodle Bank customers and including the following information:
(A) the safeguards adopted by the system to ensure that data is entered or any other operation performed only by authorised persons;
(B) the safeguards adopted to prevent and detect unauthorised change of data;
(C) the safeguards available to retrieve data that is lost due to systemic failure or any other reasons;
(D) the manner in which data is transferred from the system to removable media like floppies, discs, tapes or other electro-magnetic data storage devices;
(E) the mode of verification in order to ensure that data has been accurately transferred to such removable media;
(F) the mode of identification of such data storage devices;
(G) the arrangements for the storage and custody of such storage devices;
(H) the safeguards to prevent and detect any tampering with the system; and
(I) other factors that will vouch for the integrity and accuracy of the system.

Pooja Singh
System Administrator, Pune branch
Noodle Ltd

Enclosed: Information Security Policy of Noodle Bank Ltd

Certificate u/s 2A(c) of the Banker’s Books Evidence Act

I, the undersigned, state to the best of my knowledge and belief that:
1. The Noodle computer system described more accurately in the “Information Security Policy of Noodle Bank Ltd” operated properly at the material time when the said system was used to take the printout relating to the transactions and balances in the bank account no. 12345 for the period beginning 1st January 2008 and ending 31st January 2008.
2. The printout referred to above is appropriately derived from the relevant data stored in the said system.

Pooja Singh
System Administrator, Pune branch
Noodle Ltd

State Bank of India vs. Rizvi Exports Ltd
II(2003)BC96
DEBT RECOVERY APPELLATE TRIBUNAL, ALLAHABAD
T.A. No. 1593 of 2000
Decided On: 01.10.2002
Appellants: State Bank of India
Vs.
Respondent: Rizvi Exports Ltd.

State Bank of India (SBI) had filed a case to recover money from some persons who had taken various loans from it. As part of the evidence, SBI submitted printouts of statement of accounts maintained in SBI’s computer systems.

The relevant certificates as mandated by the Banker’s Books Evidence Act (as amended by Information Technology Act) had not been attached to these printouts.

The Court held that these documents were not admissible as evidence.

5. Admissibility of electronic records

Section 65B of the Indian Evidence Act relates to admissibility of electronic records as evidence in a Court of law.

The computer holding the original evidence does not need to be produced in court. A printout of the record, or a copy on a CD ROM, hard disk, floppy etc can be produced in court.

However some conditions need to be met and a certificate needs to be provided. These conditions and the certificate are best explained using a detailed illustration.

Note: This certificate is for illustration purposes only and does not constitute legal advice. Please do not use in a real scenario.
If you require a legally valid certificate format for use in a real scenario, please email us on info@asianlaws.org

Illustration
Noodle Ltd is an Internet Service Provider. The police are investigating a cyber crime and need details about the user of a particular IP address. They have requested Noodle for these details.

What Noodle is going to provide the police is a printout of records stored in its computer systems. The following authenticated certificate has to be attached to this printout.

Certificate u/s 65B of Indian Evidence Act issued in relation to the printout titled “Information relating to IP address 10.232.211.84”

I, the undersigned, state to the best of my knowledge and belief that:
1. The printout titled “Information relating to IP address 10.232.211.84” issued on 1st January 2008 contains information stored in the ABC server being used by Noodle Ltd to provide Internet connection services to its customers in India.
2. The said printout was produced by the ABC server during the period over which the ABC server was used regularly to store and process information for the purposes of activities regularly carried on over that period by lawfully authorised persons.
3. During the said period, information of the kind contained in the electronic record was regularly fed into the ABC server in the ordinary course of the said activities.
4. Throughout the material part of the said period, the computer was operating properly.
5. The information contained in the electronic record reproduces such information fed into the computer in the ordinary course of the said activities.
6. I am in a responsible official position in relation to the operation of the ABC server.

Signed on this 1st day of January 2008

Pooja Singh
System Administrator, Noodle Ltd

State vs. Mohd. Afzal and others
2003VIIAD(Delhi)1, 107(2003)DLT385, 2003(71)DRJ178, 2003(3)JCC1669
IN THE HIGH COURT OF DELHI
Reference No. 1/2003 and Crl. A. No. 43/2003
Decided On: 29.10.2003
Appellants: State Vs. Respondent: Mohd. Afzal and Ors. [Along with Crl. A. Nos. 59 and 80/2003]
AND
Appellants: Mohd. Afzal Vs. Respondent: State [Along with Crl. A. Nos. 12, 19 and 36/2003]

Summary of the case

Several terrorists had attacked the Parliament House on 13th December, 2001. Digital evidence played an important role during their prosecution. The accused had argued that computers and digital evidence can easily be tampered with and hence should not be relied upon.

The Court dismissed these arguments. It said that challenges to the accuracy of computer evidence on the ground of misuse of system or operating failure or interpolation, should be established by the challenger. Mere theoretical and generic doubts cannot be cast on the evidence.

Background of the case

Several terrorists had attacked the Parliament House on 13th December, 2001 intending to take as hostage or kill the Prime Minister, Central Ministers, Vice-President of India and Members of Parliament.

Several terrorists were killed by the police in the encounter and several persons were arrested in connection with the attack. The Designated Judge of the Special Court constituted under Section 23 of the Prevention of Terrorist Activities Act, 2002 (POTA) had convicted several accused persons.

They filed an appeal in the Delhi High Court challenging the legality and validity of the trial and the sustainability of the judgment.

Digital evidence played an important role in this case. Computerized cell phone call logs were heavily relied upon in this case. A laptop, several smart media storage disks and devices were recovered from a truck intercepted at Srinagar pursuant to information given by two of the suspects.

These articles were deposited in the police “malkhana” on 16th December, 2001.
Although the laptop was deposited in the “malkhana” on 16th December, some files were written onto the laptop on 21st December.

The laptops were forensically examined by a private computer engineer and the Assistant Government Examiner of Questioned Documents, Bureau of Police Research, Hyderabad.

The laptop contained files relating to identity cards and stickers that were used by the terrorists to enter the Parliament premises. Cyber forensic examination showed that the laptop was used for creating, editing and viewing image files (mostly identity cards).

Evidence found on the laptop included:
1. fake identity cards,
2. video files containing clippings of political leaders with Parliament in background shot from TV news channels,
3. scanned images of front and rear of a genuine identity card,
4. image file of design of Ministry of Home Affairs car sticker,
5. the game 'wolf pack' with the user name 'Ashiq'. Ashiq was the name in one of the fake identity cards used by the terrorists.

Issues raised by the Prosecution

2. Analysis of the Windows registry files of the suspect laptop showed that its hard disk had not been changed.
3. If internet has been accessed through a computer then the actual date of such access would be reflected. Additionally, if any change is made to the date setting of the computer, it would be reflected in the history i.e. in the REG file.
4. A hard disc cannot be changed without it being reflected in the history maintained in the REG file.
5. It was not possible to alter the date of any particular file unless the system date had been altered.
6. The files written on the laptop on 21st December were “self generating and self written” system files. These were created automatically by the laptop’s operating system when the laptop was accessed by law enforcement agencies at the “malkhana”.

Issues raised by the Defence

2. Although the laptop was deposited in the Government “malkhana” on 16th December, some files were written on the laptop on 21st December.
3. The date setting on a computer can be edited.
4. In the absence of verified time setting and reliable information about the hard disc being original, there is no certainty that the material found on a later date, was exactly the material, which may have existed on a previous date.
5. Hard disc is a replaceable component and could be formatted. If a hard disc was replaced, it would not contain the data which was stored earlier unless it was re-fed.
6. The Windows registry files can be edited.
7. The back up of complete suspect hard disc was not taken by the law enforcement agencies.
8. The date setting on a file is related to the date setting on the computer. It is possible to modify this date.
9. Information stored in a computer is on a magnetic medium which can easily be polarized. Therefore, any data in a computer can be changed by a knowledgeable person.
10. The date of last access to a file is treated differently by different software. The time of last access was meaningless in the absence of knowledge as to what software is used to process the file.
11. Software which was installed in a computer could be modified and un-installed without leaving any trace.

Points considered by the court

1. In effect, substantially, Section 65B of the Indian Evidence Act and Section 69 of the Act in England have same effect.
2. Section 69 of The Police & Criminal Evidence Act, 1984 of England 280 reads as under:
   In any proceedings, a statement in a document produced by a computer shall not be admissible as evidence of any fact stated therein unless it is shown
   (a) that there are no reasonable grounds for believing that the statement is inaccurate because of improper use of the computer.
   (b) that at all material times the computer was operating properly, or if not, that any respect in which it was not operating properly or was out of operation was not such as to affect the production of the document or the accuracy of its contents;....
3. It was held by Lord Griffiths in R. v. Shepherd, 1993 A.C. 380, that computers vary immensely in their complexity and in the operations they perform. The nature of the evidence to discharge the burden of showing that there has been no improper use of the computer and that it was operating properly will inevitably vary from case to case. He further stated that “I suspect that it will very rarely be necessary to call an expert and that in the vast majority of cases it will be possible to discharge the burden by calling a witness who is familiar with the operation of the computer in the sense of knowing what the computer is required to do and who can say that it is doing it properly.”
4. In DPP v. McKeown, (1997) 1 Criminal Appeal 155, Lord Hoffmann discussed this section 69. He said that it cannot be argued that “any malfunction is sufficient to cast doubt upon the capacity of the computer to process information correctly. A malfunction is relevant if it affects the way in which the computer processes, stores or retrieves the information used to generate the statement tendered in evidence. Other malfunctions do not matter”.
5. The Law Commission in England held that “Realistically, therefore, computers must be regarded as imperfect devices.” The Law Commission recommended the deletion of this section 69 and subsequently it was deleted.
6. The Law Commission report in England said that “The complexity of modern systems makes it relatively easy to establish a reasonable doubt in a juror's mind as to whether the computer was operating properly....
We are concerned about smoke-screens being raised by cross-examination which focuses in general terms on the fallibility of computers rather than the reliability of the particular evidence. The absence of a presumption that the computer is working means that it is relatively easy to raise a smoke-screen.”
7. In England, the common law presumption that "in the absence of evidence to the contrary the courts will presume that mechanical instruments were in order at the material time", operates with full force.
8. Development in computer networking, access, control, monitoring and systems security are increasingly making it difficult for computer errors to go undetected. Most computer errors are immediately detected or the resultant error in the date is immediately recorded.

Conclusion of the court

If someone challenges the accuracy of computer evidence on the ground of misuse of system or operating failure or interpolation, then the challenger has to establish the challenge.

Mere theoretical and generic doubts cannot be cast on the evidence.

6. Is ATM a computer?

Diebold Systems Pvt Ltd vs. The Commissioner of Commercial Taxes
ILR2005KAR2210, [2006]144STC59(Kar)
IN THE HIGH COURT OF KARNATAKA
Sales Tax Appeal No. 2/2004
Decided On: 31.01.2005
Appellants: Diebold Systems Pvt. Ltd.
Vs.
Respondent: The Commissioner of Commercial Taxes
Section 2 of Information Technology Act, 2000

Background

Diebold Systems Pvt Ltd manufactures and supplies Automated Teller Machines (ATM).

Diebold sought a clarification from the Advance Ruling Authority (ARA) in Karnataka on the rate of tax applicable under the Karnataka Sales Tax Act, 1957 on sale of Automated Teller Machines.
The majority view of the ARA was to classify ATMs as "computer terminals" liable for 4% basic tax as they would fall under Entry 20(ii)(b) of Part 'C' of Second Schedule to the Karnataka Sales Tax Act.

The Chairman of the ARA dissented from the majority view. In his opinion, ATMs would fit into the description of electronic goods, parts and accessories thereof. They would thus attract basic rate of tax of 12% and would fall under Entry 4 of Part 'E' of the Second Schedule to the KST Act.

The Commissioner of Commercial Taxes was of the view that the ARA ruling was erroneous and passed an order that ATMs cannot be classified as computer terminals.

Findings of the court

1. The enlarged definition of "computers" in the Information Technology Act cannot be used for interpreting an Entry under fiscal legislation.
2. An Automatic Teller Machine is an electronic device, which allows a bank's customer to make cash withdrawals, and check their account balances at any time without the need of human teller.
3. ATM is not a computer by itself and it is connected to a computer that performs the tasks requested by the person using the ATM. The computer is connected electronically to many ATMs that may be located at some distance from the computer.

Decision of the court

ATMs are not computers, but are electronic devices under the Karnataka Sales Tax Act, 1957.

7. Place of Electronic Contract

P.R. Transport Agency vs. Union of India & others
AIR2006All23, 2006(1)AWC504
IN THE HIGH COURT OF ALLAHABAD
Civil Misc. Writ Petition No. 58468 of 2005
Decided On: 24.09.2005
Appellants: P.R. Transport Agency through its partner Sri Prabhakar Singh
Vs.
Respondent: Union of India (UOI) through Secretary, Ministry of Coal, Bharat Coking Coal Ltd. through its Chairman, Chief Sales Manager Road Sales, Bharat Coking Coal Ltd. and Metal and Scrap Trading Corporation Ltd. (MSTC Ltd.) through its Chairman cum Managing Director

Background of the case

Bharat Coking Coal Ltd (BCC) held an e-auction for coal in different lots. P.R. Transport Agency’s (PRTA) bid was accepted for 4000 metric tons of coal from Dobari Colliery.

The acceptance letter was issued on 19th July 2005 by e-mail to PRTA’s e-mail address. Acting upon this acceptance, PRTA deposited the full amount of Rs. 81.12 lakh through a cheque in favour of BCC. This cheque was accepted and encashed by BCC.

BCC did not deliver the coal to PRTA. Instead it e-mailed PRTA saying that the sale as well as the e-auction in favour of PRTA stood cancelled "due to some technical and unavoidable reasons".

The only reason for this cancellation was that there was some other person whose bid for the same coal was slightly higher than that of PRTA. Due to some flaw in the computer or its programme or feeding of data the higher bid had not been considered earlier.

This communication was challenged by PRTA in the High Court of Allahabad. [Note: Allahabad is in the state of Uttar Pradesh (UP)]

BCC objected to the “territorial jurisdiction” of the Court on the grounds that no part of the cause of action had arisen within U.P.

Issue raised by BCC

The High Court at Allahabad (in U.P.) had no jurisdiction as no part of the cause of action had arisen within U.P.

Issues raised by PRTA

1. The communication of the acceptance of the tender was received by the petitioner by e-mail at Chandauli (U.P.). Hence the contract (from which the dispute arose) was completed at Chandauli (U.P.). The completion of the contract is a part of the "cause of action".
2. The place where the contract was completed by receipt of communication of acceptance is a place where 'part of cause of action' arises.

Points considered by the court

1. In reference to contracts made by telephone, telex or fax, the contract is complete when and where the acceptance is received. However, this principle can apply only where the transmitting terminal and the receiving terminal are at fixed points.
2. In case of e-mail, the data (in this case acceptance) can be transmitted from anywhere by the e-mail account holder. It goes to the memory of a 'server' which may be located anywhere and can be retrieved by the addressee account holder from anywhere in the world. Therefore, there is no fixed point either of transmission or of receipt.
3. Section 13(3) of the Information Technology Act has covered this difficulty of “no fixed point either of transmission or of receipt”. According to this section “...an electronic record is deemed to be received at the place where the addressee has his place of business.”
4. The acceptance of the tender will be deemed to be received by PRTA at the places where it has place of business. In this case it is Varanasi and Chandauli (both in U.P.).

Decision of the court

1. The acceptance was received by PRTA at Chandauli / Varanasi. The contract became complete by receipt of such acceptance.
2. Both these places are within the territorial jurisdiction of the High Court of Allahabad. Therefore, a part of the cause of action has arisen in U.P. and the court has territorial jurisdiction.

Head Office
6th Floor, Pride Senate, Opp International Convention Center, Senapati Bapat Road, Pune - 411016. India
Contact Numbers: +91-20-25667148, +91-20-40033365, +91-20-65206029, +91-20-6400 0000, +91-20-6400 6464
Fax: +91-20-25884192
Email: info@asianlaws.org
URL: www.asianlaws.org